Hi Guys, Today I would like to show you how a single misconfiguration issue could jeopardize users' privacy if maliciously exploited, namely by hijacking the user "access_token" from the Microsoft Office 365 Facebook app. Microsoft decided that this Office 365 Facebook app is NOT within the scope of their Microsoft Online Services bug bounty, although we proved that the bug we discovered can result in stealing the Microsoft Office Facebook app access token, and that is due to a misconfiguration in the Microsoft Office Facebook app itself.
Remember Cambridge Analytica and the Facebook data leak? It happened via one of the applications that CA built to harvest the data of millions of American users. That being said, this discovered bug can be exploited at large scale across the user base of the misconfigured Microsoft Office 365 Facebook app to steal the access tokens of users who granted access to it, and thereby hijack their private information (the data specified in the scope of the Facebook app itself).
About the Microsoft Office Facebook App:
The Microsoft Office Facebook app is used to exchange data, such as contacts, with Microsoft platforms (Outlook, Office, Office 365, etc.).
The Microsoft Office Facebook app is configured to accept a redirect to *.outlook.com as valid, meaning that no protocol (http/https) is specified and no particular subdomain (blah.outlook.com) is required. With the help of ARP poisoning and injecting this piece of code into the user's traffic (any traffic), the attacker is able to capture the access token from the traffic. We added "response_type=token" to obtain the access_token instead of the "user code", and because many Facebook users have already granted access to a trusted application like this one, we *attackers* don't have to wait for the victim to grant access to the application again (access was already granted some time before the attack).
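As an added illustration (this is not code from the original post, nor Microsoft's or Facebook's implementation), the following Python contrasts the loose redirect matching described above with the strict exact-match validation an OAuth authorization server should apply, and rejects the implicit grant so a token is never placed in a redirect URL at all; the registered callback URL and request values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registration (hypothetical path): a strict allowlist holds full
# URIs with scheme, host and path, not a bare "*.outlook.com" pattern.
REGISTERED_REDIRECTS = {"https://outlook.live.com/owa/auth/callback"}


def loose_match(candidate: str) -> bool:
    """Models the misconfiguration: any scheme, any subdomain of outlook.com."""
    host = (urlsplit(candidate).hostname or "").lower()
    return host == "outlook.com" or host.endswith(".outlook.com")


def strict_match(candidate: str, registered=REGISTERED_REDIRECTS) -> bool:
    """Exact match on scheme, host, port, path and query; fragments and
    embedded credentials are rejected outright."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment or parts.username or parts.password:
        return False
    # Only scheme and host are case-insensitive (RFC 3986); the path and
    # query must match byte-for-byte, so no normalization is applied to them.
    normalized = f"https://{(parts.hostname or '').lower()}"
    if parts.port:
        normalized += f":{parts.port}"
    normalized += parts.path
    if parts.query:
        normalized += f"?{parts.query}"
    return normalized in registered


def validate_authorization_request(redirect_uri: str, response_type: str) -> tuple:
    """Returns (accepted, reason). Applies the strict redirect check and allows
    only the authorization code grant, so response_type=token is refused even
    for an otherwise valid redirect target."""
    if not strict_match(redirect_uri):
        return False, "redirect_uri not in exact-match allowlist"
    if response_type != "code":
        return False, "only the authorization code grant is allowed"
    return True, "ok"


if __name__ == "__main__":
    for uri in ("http://blah.outlook.com/anything",
                "https://outlook.live.com/owa/auth/callback"):
        print(uri, "loose:", loose_match(uri), "strict:", strict_match(uri))
```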
The real-life attack vectors:
1. [Remotely] Via Unvalidated Redirects
As stated in Microsoft Online Services bug bounty rules: “URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)”
We managed to get the following results as PoC examples:
This results in stealing the user's access token by redirecting it, in our example domain, to "http://www.steinertglobal.com".
2. [Locally] Via MiTM Attacks
After stealing the user's "access_token", an attacker gains the permissions granted to this Facebook app: (offline_access,user_about_me,friends_about_me,email,user_activities,friends_activities,user_birthday,friends_birthday,user_education_history,friends_education_history,user_hometown,friends_hometown,user_interests,friends_interests,user_website,friends_website,user_work_history,friends_work_history,user_status,friends_status,user_photo_video_tags,friends_photo_video_tags,user_photos,friends_photos,user_videos,friends_videos,friends_location,friends_interests)
Hope you enjoyed it.